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What is claimed is : 

1 1 . A method comprising: 

2 in a global operating system environment controlled by a single operating system 

3 kernel instance, establishing a non-global zone for isolating processes from 

4 processes in other non-global zones, wherein the non-global zone has a unique 

5 zone identifier; 

6 receiving from a first process executing in association with the non-global zone a first 

7 request to create a communications object; 

8 in response to receiving the first request, creating a communications object, wherein 

9 the communications object has the unique zone identifier of the first process 

10 associated therewith; 

1 1 receiving from a second process a second request to initiate communications using 

12 the communications object; 

13 in response to receiving the second request, determining if the second process is 

14 associated with the non-global zone having the unique zone identifier of the 

15 communications object; and 

16 denying the second request if the second process is not associated with the non-global 

17 zone having the unique zone identifier of the communications object. 

1 2. The method of claim 1 , further comprising: 

2 permitting the second request if the second process is associated with the non-global 

3 zone having the same unique zone identifier of the communications object. 
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1 3. The method of claim 1, wherein the communications object has an object identifier, 

2 and wherein creating a communications object further comprises: 

3 creating a communications object having a communications object identifier; 

4 associating a zone identifier of the requesting process with the communications 

5 object; 

6 storing the communications object identifier and the zone identifier in a structure for 

7 managing communications objects in the non-global zone comprising the first 

8 process; 

9 thereby enabling a first communications object in a first non-global zone and a 

10 second communications object in a second non-global zone to use identical 

1 1 communications object identifiers. 

1 4. The method of claim 3, wherein the communications object identifier comprises at 

2 least one of an address, a socket identifier, a port, a flex address, a semaphore 

3 identifier, a message queue identifier, a shared memory segment identifier, a pipe and 

4 a stream identifier. 

1 5. The method of claim 1, wherein establishing a non-global zone for isolating processes 

2 from processes in other non-global zones further comprises: 

3 creating a non-global zone; 

4 associating a unique identifier with the non-global zone; and 

5 creating a data structure for managing information about communications objects 

6 associated with the non-global zone. 
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1 6. The method of claim 1, wherein receiving from a second process a request to initiate 

2 communications using the communications object comprises receiving a request from 

3 a requestor process in a first non-global zone to communicate with a recipient process 

4 in a second non-global zone, the method further comprising: 

5 retrieving credentials for the requestor process, the credentials comprising a zone 

6 identifier indicating a non-global zone to which the requestor process is 

7 bound; 

8 verifying that the requestor process is authorized to communicate with the recipient 

9 process across a non-global zone boundary based upon the credentials; and 

10 establishing a communication path between the requestor process and the recipient 

1 1 process via the global operating system environment if the requestor process 

12 is authorized. 

1 7. The method of claim 1, wherein the communications object comprises at least one of 

2 a loopback transport provider, a semaphore, a shared memory segment, a message 

3 queue and an event channel. 

18. A method comprising: 

2 in a global operating system environment controlled by a single operating system 

3 kernel instance, establishing a non-global zone for isolating processes from 

4 processes in other non-global zones; 

5 mounting a file system to a global file system of the global operating system 

6 environment at a point accessible by processes in one non-global zone; 

7 establishing a file system location in the file system of the non-global zone; 

8 establishing a communications object within the file system location; 
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9 establishing access permissions for the file system locations; 

10 receiving from a first process a request to initiate communications using the 

1 1 communications object; 

12 in response to receiving the request, determining if the first process is authorized to 

13 access the file system location of the communications object; 

14 denying the request if the first process is not authorized to access the file system 

15 location of the communications object. 

1 9. The method of claim 8, wherein the first communication object and the second 

2 communications object employ at least one of a pipe, a stream, a socket, a POSIX 

3 inter-process communications and a doors interface. 

1 10. The method of claim 8, wherein receiving from a first process a request to initiate 

2 communications using the communications object comprises receiving a request from 

3 a first processes in a first non-global zone to communicate with a second processes in 

4 a second non-global zone, the method further comprising: 

5 retrieving credentials for the first process, the credentials comprising a zone identifier 

6 indicating a non-global zone to which the first process is bound; 

7 verifying that the first process is authorized to communicate with the second process 

8 across a non-global zone boundary based upon the credentials; and 

9 establishing a communication path between the first process and the second process if 
10 the first process is authorized. 
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1 11. The method of claim 10, wherein the first process in the first non-global zone 

2 communicates with the second process in the second non-global zone using at least 

3 one of an event channel and a doors interface. 



1 12. A method comprising: 

2 establishing a non-global zone for isolating processes from processes in other non- 

3 global zones in a global operating system environment; 

4 responsive to a first request, creating a communications object having a unique 

5 identifier corresponding to the non-global zone of a process making the first 

6 request; and 

7 responsive to a second request, initiating a communications using the 

8 communications object for a process making the second request, if the process 

9 making the second request is determined to be associated with the non-global 

10 zone having a unique identifier matching the unique identifier of the 

1 1 communications object. 

1 13. A computer readable medium, comprising: 

2 instructions for causing one or more processors to establish a non-global zone for 

3 isolating processes from processes in other non-global zones in an operating 

4 system environment controlled by a single operating system kernel instance, 

5 wherein the non-global zone has a unique zone identifier; 

6 instructions for causing one or more processors to receive from a first process 

7 executing in association with the non-global zone a first request to create a 

8 communications object; 
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9 instructions for causing one or more processors to create a communications object, in 

10 response to receiving the first request, wherein the communications object has 

1 1 the unique zone identifier of the first process associated therewith; 

12 instructions for causing one or more processors to receive from a second process a 

13 second request to initiate communications using the communications object; 

14 instructions for causing one or more processors to determine, in response to receiving 

15 the second request, if the second process is associated with the non-global 

16 zone having the unique zone identifier of the communications object; and 

17 instructions for causing one or more processors to deny the second request if the 

18 second process is not associated with the non-global zone having the unique 

19 zone identifier of the communications object. 

1 14. The computer readable medium of claim 13, further comprising: 

2 instructions for causing one or more processors to permit the second request if the 

3 second process is associated with the non-global zone having the same unique 

4 zone identifier of the communications object. 

1 15. The computer readable medium of claim 13, wherein the communications object has 

2 an object identifier, and wherein instructions for causing one or more processors to 

3 create a communications object further comprise: 

4 instructions for causing one or more processors to create a communications object 

5 having a communications object identifier; 

6 instructions for causing one or more processors to associate a zone identifier of the 

7 requesting process with the communications object; and 
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8 instructions for causing one or more processors to store the communications object 

9 identifier and the zone identifier in a structure for managing communications 

10 objects in the non-global zone comprising the first process; 

1 1 thereby enabling a first communications object in a first non-global zone and a 

12 second communications object in a second non-global zone to use identical 

13 communications object identifiers. 

1 16. The computer readable medium of claim 15, wherein a communications object 

2 identifier comprises at least one of an address, a socket identifier, a port, a flex 

3 address, a semaphore identifier, a message queue identifier, a shared memory 

4 segment identifier, a pipe and a stream identifier. 

1 17. A computer readable medium of claim 13, wherein instructions for causing one or 

2 more processors to establish a non-global zone for isolating processes from processes 

3 in other non-global zones further comprises: 

4 instructions for causing one or more processors to create a non-global zone; 

5 instructions for causing one or more processors to associate a unique identifier with 

6 the non-global zone; and 

7 instructions for causing one or more processors to create a data structure for 

8 managing information about communications objects associated with the non- 

9 global zone. 

1 18. A computer readable medium of claim 13, wherein instructions for causing one or 

2 more processors to receive from a second process a request to initiate 

3 communications using the communications object comprises instructions for causing 
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4 one or more processors to receive a request from a requestor process in a first non- 

5 global zone to communicate with a recipient process in a second non-global zone, the 

6 computer readable medium further comprising: 

7 instructions for causing one or more processors to retrieve credentials for the 

8 requestor process, the credentials comprising a zone identifier indicating a 

9 non-global zone to which the requestor process is bound; 

10 instructions for causing one or more processors to verify that the requestor process is 

1 1 authorized to communicate with the recipient process across a non-global 

12 zone boundary based upon the credentials; and 

13 instructions for causing one or more processors to establish a communication path 

14 between the requestor process and the recipient process via the global 

15 operating system environment if the requestor process is authorized. 

1 19. A computer readable medium of claim 13, wherein the communications object 

2 comprises at least one of a loopback transport provider, a semaphore, a shared 

3 memory segment, a message queue and an event channel. 

1 20. A computer readable medium, comprising: 

2 instructions for causing one or more processors to establish a non-global zone for 

3 isolating processes from processes in other non-global zones in a global 

4 operating system environment controlled by a single operating system kernel 

5 instance; 

6 instructions for causing one or more processors to mount a file system to a global file 

7 system of the global operating system environment at a point accessible by 

8 processes in one non-global zone; 
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9 instructions for causing one or more processors to establish a file system location in 

10 the file system of the non-global zone; 

1 1 instructions for causing one or more processors to establish a communications object 

12 within the file system location; 

13 instructions for causing one or more processors to establish access permissions for the 

14 file system locations; 

15 instructions for causing one or more processors to receive from a first process a 

16 request to initiate communications using the communications object; 

17 instructions for causing one or more processors to determine, in response to receiving 

18 the request, if the first process is authorized to access the file system location 

19 of the communications object; and 

20 instructions for causing one or more processors to deny the request if the first process 

21 is not authorized to access the file system location of the communications 

22 object. 

1 21. The computer readable medium of claim 20, wherein the first communication object 

2 and the second communications object employ at least one of a pipe, a stream, a 

3 socket, a POSIX inter-process communications and a doors interface. 

1 22. A computer readable medium of claim 20, wherein the instructions for causing one or 

2 more processors to receive from a first process a request to initiate communications 

3 using the communications object comprise instructions for causing one or more 

4 processors to receive a request from a first processes in a first non-global zone to 

5 communicate with a second processes in a second non-global zone, the computer 

6 readable medium further comprising: 
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7 instructions for causing one or more processors to retrieve credentials for the first 

8 process, the credentials comprising a zone identifier indicating a non-global 

9 zone to which the first process is bound; 

10 instructions for causing one or more processors to verify that the first process is 

1 1 authorized to communicate with the second process across a non-global zone 

12 boundary based upon the credentials; and 

13 instructions for causing one or more processors to establish a communication path 

14 between the first process and the second process if the first process is 

15 authorized. 

1 23. A computer readable medium of claim 22, wherein the first processes in the first non- 

2 global zone communicates with the second processes in the second non-global zone 

3 using at least one of an event channel and a doors interface. 

1 24. A computer readable medium comprising: 

2 instructions for causing one or more processors to establish a non-global zone for 

3 isolating processes from processes in other non-global zones in a global 

4 operating system environment; 

5 instructions for causing one or more processors to create a communications object 

6 responsive to a first request, the communications object having a unique 

7 identifier corresponding to the non-global zone of a process making the first 

8 request; and 

9 instructions for causing one or more processors to initiate a communications using the 

10 communications object responsive to a second request, if the process making 

1 1 the second request is determined to be associated with the non-global zone 
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12 having a unique identifier matching the unique identifier of the 

13 communications object. 

1 25. An apparatus, comprising: 

2 means for establishing a non-global zone for isolating processes from processes in 

- 3 other non-global zones in a global operating system environment controlled 

4 by a single operating system kernel instance, wherein the non-global zone has 

5 a unique zone identifier; 

6 means for receiving from a first process executing in association with the non-global 

7 zone a first request to create a communications object; 

8 means for creating a communications object, in response to receiving the first request, 

9 wherein the communications object has the unique zone identifier of the first 

10 process associated therewith; 

1 1 means for receiving from a second process a second request to initiate 

12 communications using the communications object; 

13 means for determining, in response to receiving the second request, if the second 

14 process is associated with the non-global zone having the unique zone 

15 identifier of the communications object; and 

16 means for denying the second request if the second process is not associated with the 

17 non-global zone having the unique zone identifier of the communications 

18 object. 

1 26. An apparatus, comprising: 

2 means for establishing a non-global zone for isolating processes from processes in 

3 other non-global zones in a global operating system environment controlled 

4 by a single operating system kernel instance; 
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5 means for mounting a file system to a global file system of the global operating 

6 system environment at a point accessible by processes in one non-global zone; 

7 means for establishing a file system location in the file system of the non-global zone; 

8 means for establishing a communications object within the file system location; 

9 means for establishing access permissions for the file system locations; 

10 means for receiving from a first process a request to initiate communications using 

1 1 the communications object; 

12 means for determining, in response to receiving the request, if the first process is 

13 authorized to access the file system location of the communications object; 

14 and 

15 means for denying the request if the first process is not authorized to access the file 

16 system location of the communications object. 

1 27. An apparatus, comprising: 

2 means for establishing a non-global zone for isolating processes from processes in 

3 other non-global zones in a global operating system environment; 

4 means for creating, responsive to a first request, a communications object having a 

5 unique identifier corresponding to the non-global zone of a process making 

6 the first request; and 

7 means for initiating, responsive to a second request, communications using the 

8 communications object for a process making the second request, if the process 

9 making the second request is determined to be associated with the non-global 

10 zone having a unique identifier matching the unique identifier of the 

1 1 communications object. 
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